Commit 2455ccb4 by Guangbo Chen

added vault-operator chart

parent 0b58e006
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: A Helm chart for Vault, a tool for managing secrets
name: vault-operator
version: 0.1.0
icon: https://www.vaultproject.io/assets/images/mega-nav/logo-vault-0f83e3d2.svg
home: https://www.vaultproject.io/
appVersion: 0.9.1
## Overview
The Vault operator deploys and manages [Vault][vault] clusters on Kubernetes. Vault instances created by the Vault operator are highly available and support automatic failover and upgrade.
### Project status: beta
The basic features have been completed, and while no breaking API changes are currently planned, the API can change in a backwards incompatible way before the project is declared stable.
## Configuration
Parameter | Description | Default
--------- | ----------- | -------
`rbac.create` | If true, create & use RBAC resources | `true`
`serviceAccounts.create` | If true, create the values-operator service account | `true`
`imagePullPolicy` | all containers image pull policy | `IfNotPresent`
`vaultOperator.replicaCount` | desired number of vault operator controller pod | `1`
`vaultOperator.image.repository` | vault operator container image repository | `quay.io/coreos/vault-operator`
`vaultOperator.image.tag` | vault operator container image tag | `latest`
`vaultOperator.resources` | vault operator pod resource requests & limits | `{}`
`vaultOperator.nodeSelector` | node labels for vault operator pod assignment | `{}`
`vault.node` | desired number of vault cluster nodes | `2`
`vault.version` | vault app version | `0.9.1-0`
`etcd.image.repository` | etcd container image repository | `quay.io/coreos/etcd-operator`
`etcd.image.tag` | etcd container image tag | `v0.8.3`
`ui.replicaCount` | desired number of Vault UI pod | `1`
`ui.image.repository` | Vault UI container image repository | `djenriquez/vault-ui`
`ui.image.tag` | Vault UI container image tag | `latest`
`ui.resources` | Vault UI pod resource requests & limits | `{}`
`ui.nodeSelector` | node labels for Vault UI pod assignment | `{}`
`ui.ingress.enabled` | If true, Vault UI Ingress will be created | `false`
`ui.ingress.annotations` | Vault UI Ingress annotations | `{}`
`ui.ingress.hosts` | Vault UI Ingress hostnames | `[]`
`ui.ingress.tls` | Vault UI Ingress TLS configuration (YAML) | `[]`
`ui.vault.auth` | Vault UI login method | `TOKEN`
`ui.service.name` | Vault UI service name | `vault-ui`
`ui.service.type` | type of ui service to create | `ClusterIP`
`ui.service.externalPort` | Vault UI service target port | `8000`
`ui.service.internalPort` | Vault UI container port | `8000`
`ui.service.nodePort` | Port to be used as the service NodePort (ignored if `server.service.type` is not `NodePort`) | `0`
## Using the Vault cluster
See the [Vault usage guide](./doc/user/vault.md) on how to initialize, unseal, and use the deployed Vault cluster.
Consult the [monitoring guide](./doc/user/monitoring.md) on how to monitor and alert on a Vault cluster with Prometheus.
See the [recovery guide](./doc/user/recovery.md) on how to backup and restore Vault cluster data using the etcd opeartor
For an overview of the default TLS configuration or how to specify custom TLS assets for a Vault cluster see the [TLS setup guide](doc/user/tls_setup.md).
[vault]: https://www.vaultproject.io/
[etcd-operator]: https://github.com/coreos/etcd-operator/
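Review bot: the configuration table does not match values.yaml or the templates. `serviceAccounts.create` should be `serviceAccount.create` (the key values.yaml defines and the ServiceAccount template tests), and its description should read "vault-operator", not "values-operator". `vaultOperator.replicaCount` is documented, but the operator Deployment reads `.Values.replicaCount`, so the setting has no effect. `ui.ingress.enabled` is listed as defaulting to `false` while values.yaml sets `true`, and `ui.ingress.hosts` as `[]` while values.yaml sets `xip.io`. `ui.vault.url` is consumed by the UI Deployment but is not listed at all. `etcd.image.*` is the etcd-operator image (default `quay.io/coreos/etcd-operator`), not an etcd image, and the `ui.service.nodePort` description refers to `server.service.type` where it means `ui.service.type`. "opeartor" is a typo, and the four `./doc/user/*.md` links point at files that are not in this chart; either vendor those documents or link to them in the upstream vault-operator repository.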
# Vault Operator
Run and manage Vault on Kubernetes simply and securely.
### Prerequisites
- Kubernetes 1.8+
categories:
- security
questions:
- variable: defaultImage
default: "true"
description: "Use default Docker image"
label: Use Default Image
type: boolean
show_subquestion_if: false
group: "Container Images"
subquestions:
- variable: vaultOperator.image.repository
default: "quay.io/coreos/vault-operator"
description: "Vault image name"
type: string
label: Vault Operator Image Name
- variable: vaultOperator.image.tag
default: "latest"
description: "Values operator image tag"
type: string
label: Vault Operator Image Tag
- variable: ui.image.repository
default: "djenriquez/vault-ui"
description: "Vault image name"
type: string
label: Vault UI Image Name
- variable: ui.image.tag
default: "latest"
description: "Values UI image tag"
type: string
label: Vault UI Image Tag
- variable: etcd.image.repository
default: "quay.io/coreos/etcd-operator"
description: "etcd image name"
type: string
label: etcd Image Name
- variable: etcd.image.tag
default: "v0.8.3"
description: "etcd image tag"
type: string
label: etcd Image Tag
- variable: ui.ingress.enabled
default: true
description: "Expose Vault-UI using Layer 7 Load Balancer - ingress"
type: boolean
group: "Vault UI"
label: Expose Vault-UI using Layer 7 Load Balancer
show_subquestion_if: true
required: true
subquestions:
- variable: ui.ingress.hosts[0]
default: "xip.io"
description: "Vault-UI server ingress hostname"
type: hostname
required: true
label: Hostname
- variable: ui.service.type
default: "NodePort"
description: "Server service type"
group: "Vault UI"
type: enum
show_if: "ui.ingress.enabled=false"
options:
- "ClusterIP"
- "NodePort"
required: true
label: Vault UI Service Type
show_subquestion_if: "NodePort"
subquestions:
- variable: ui.service.nodePort
default: ""
description: "NodePort http port(to set explicitly, choose port between 30000-32767)"
type: int
min: 30000
max: 32767
show_if: "ui.ingress.enabled=false"
label: Vault UI NodePort Http Port
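Review bot: the defaults in this questions file expose the Vault UI publicly and several labels are mis-copied. `ui.ingress.hosts[0]` defaults to `xip.io` with `required: true`, so a user who accepts the defaults publishes the UI, whose login method is a Vault token (`ui.vault.auth: TOKEN`), on a public wildcard-DNS hostname with no TLS entry; leave the default empty so the user has to supply a name. With the ingress disabled, `ui.service.type` defaults to `NodePort`, which opens the UI on every node's address; `ClusterIP` is the safer default and is what values.yaml uses. The descriptions for `vaultOperator.image.repository` and `ui.image.repository` both read "Vault image name", `vaultOperator.image.tag` and `ui.image.tag` read "Values ...", and `etcd.image.*` describes the etcd-operator image, not etcd.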
## Configure port forwarding between the local machine and the first sealed Vault node:
1. kubectl -n {{ .Release.Namespace }} get vault {{ .Release.Name }} -o jsonpath='{.status.vaultStatus.sealed[0]}' | xargs -0 -I {} kubectl -n {{ .Release.Namespace }} port-forward {} 8200
2. Open a new terminal.
3. Export the following environment for Vault CLI environment:
```
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_SKIP_VERIFY="true"
```
4. Verify that the Vault server is accessible using the Vault CLI:
```
$vault status
Error checking seal status: Error making API request.
URL: GET https://127.0.0.1:8200/v1/sys/seal-status
Code: 400. Errors:
* server is not yet initialized
```
5.Initialize the Vault server to generate the unseal keys and the root token. (https://www.vaultproject.io/intro/getting-started/deploy.html#initializing-the-vault)
$vault operator init
## Unsealing a sealed node
https://www.vaultproject.io/intro/getting-started/deploy.html#seal-unseal
```
$ vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Sealed true
Total Shares 5
Unseal Progress 1/3
Unseal Nonce 786e7190-d1e2-84d2-520c-022efee5b71e
Version (version unknown)
HA Enabled true
HA Mode sealed
```
Continue with vault unseal to complete unsealing the Vault, normally 3 keys out of 5 unseal keys.
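Review bot: step 3 instructs the user to set `VAULT_SKIP_VERIFY="true"`, which disables certificate validation on the very connection that carries the unseal keys and the root token; point users at the operator-provisioned client CA instead (set `VAULT_CACERT` to it, per the TLS setup guide the README links to) rather than teaching them to skip verification. Step 1 only forwards to `sealed[0]`; with the default `vault.node: 2` the other node stays sealed and never joins as a standby, so the notes should say to repeat the forward-and-unseal steps for each node. `vault operator init` prints every unseal key and the root token in clear text to the terminal; mention `-pgp-keys` and `-root-token-pgp-key` so each share is encrypted to its holder, and that the root token should be revoked once another auth method is configured. Formatting: `$vault operator init` in step 5 sits outside a code fence and "5.Initialize" is missing a space; the closing line should say `vault operator unseal`, not `vault unseal`; and `xargs -0` is wrong for the jsonpath output, which is not NUL-delimited (plain `xargs -I {}` is enough).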
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "vault-operator.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define vault operator service account name
*/}}
{{- define "vault-operator.sa" -}}
{{- printf "%s-sa" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define vault operator role name
*/}}
{{- define "vault-operator.role" -}}
{{- printf "%s-role" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define vault operator rolebinding name
*/}}
{{- define "vault-operator.rolebinding" -}}
{{- printf "%s-rolebinding" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define vault ui fullname
*/}}
{{- define "vault.ui.fullname" -}}
{{- printf "%s-ui" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define vault service url for the ui
*/}}
{{- define "vault.service.url" -}}
{{- printf "https://%s:8200" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
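Review bot: `vault.service.url` pipes a URL through `trunc 63 | trimSuffix "-"`, so for a long release name the `:8200` suffix is cut off and the UI is pointed at the wrong endpoint; the 63-character limit applies to Kubernetes object names, not URLs, so drop the truncation there. The service account, role and rolebinding helpers derive their names from `.Release.Name` while the operator Deployment uses `vault-operator.fullname`; using one scheme for all of them keeps names predictable and avoids collisions when `nameOverride` is set.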
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ .Release.Name }}-etcd-operator
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: etcd-operator
spec:
replicas: 1
template:
metadata:
labels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
name: etcd-operator
spec:
serviceAccountName: {{ template "vault-operator.sa" . }}
containers:
- name: etcd-operator
image: "{{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
command:
- etcd-operator
- "--create-crd=false"
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
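Review bot: the `resources` and `nodeSelector` fields read `.Values.resources` and `.Values.nodeSelector`, which values.yaml never defines (the other two Deployments use `vaultOperator.*` and `ui.*`), so the etcd-operator pod always runs without limits and there is no documented way to set them; add `etcd.resources` and `etcd.nodeSelector` to values.yaml and reference those. The Deployment has no `spec.selector`, which `apps/v1beta1` tolerates but `apps/v1` rejects; adding it now avoids a breaking change when the apiVersion is bumped. The tag `v0.8.3` is pinned, which is good; since this pod's service account has `*` on Secrets in the namespace, pinning by digest as well is worth it.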
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: etcdclusters.etcd.database.coreos.com
spec:
group: etcd.database.coreos.com
names:
kind: EtcdCluster
listKind: EtcdClusterList
plural: etcdclusters
shortNames:
- etcd
singular: etcdcluster
scope: Namespaced
version: v1beta2
{{- if .Values.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ template "vault-operator.role" . }}
rules:
- apiGroups:
- etcd.database.coreos.com
resources:
- etcdclusters
- etcdbackups
- etcdrestores
verbs:
- "*"
- apiGroups:
- vault.security.coreos.com
resources:
- vaultservices
verbs:
- "*"
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- "*"
- apiGroups:
- "" # "" indicates the core API group
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
verbs:
- "*"
- apiGroups:
- apps
resources:
- deployments
verbs:
- "*"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ template "vault-operator.rolebinding" . }}
subjects:
- kind: ServiceAccount
name: {{ template "vault-operator.sa" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ template "vault-operator.role" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
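Review bot: the `storage.k8s.io/storageclasses` rule does nothing in a namespaced `Role` because StorageClass is a cluster-scoped resource; it needs a `ClusterRole` with a `ClusterRoleBinding`, and `get`/`list` is all that is needed to look one up. Every other rule grants `*`, and this single Role is bound to the service account shared by both the etcd-operator and the vault-operator pods, so either of them being compromised yields full create/delete on every Secret, ConfigMap and Pod in the namespace. Enumerate the verbs each operator actually uses (both upstream projects ship example RBAC manifests) and give the two operators separate service accounts so the etcd-operator does not inherit access to `vaultservices` and to the secrets the vault-operator manages. Also add `namespace: {{ .Release.Namespace }}` to the Role and RoleBinding metadata for consistency with the Deployments.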
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault-operator.sa" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- end }}
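Review bot: setting `serviceAccount.create: false` leaves both Deployments pointing at `{{ template "vault-operator.sa" . }}` (`<release>-sa`) with no way to name an existing account, so pod creation fails unless the user has pre-created a ServiceAccount with exactly that name; add a `serviceAccount.name` value that the helper falls back to. The same gap exists for `rbac.create: false`: the RoleBinding is skipped but the operators still need the permissions, which NOTES.txt should spell out.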
{{- if .Values.ui.ingress.enabled -}}
{{- $serviceName := include "vault.ui.fullname" . -}}
{{- $servicePort := .Values.ui.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "vault.ui.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ui.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ui.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: /
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ui.ingress.tls }}
tls:
{{ toYaml .Values.ui.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
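Review bot: the Ingress publishes the Vault UI on every entry in `ui.ingress.hosts` and only emits a `tls` section when `ui.ingress.tls` is set, while values.yaml enables the Ingress by default with host `xip.io` and an empty `tls` list, so an install with default values serves the UI's token login over plain HTTP on a public wildcard-DNS name. Either default `enabled` to `false` (as the README table already claims) or fail the render when `enabled` is true and `tls` is empty, e.g. with `required` or `fail` in the template. Rendering the annotation values with `| quote` is correct for values such as `"true"`.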
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.ui.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.externalPort }}
targetPort: {{ .Values.ui.service.internalPort }}
protocol: TCP
name: {{ .Values.ui.service.name }}
{{- if .Values.ui.service.nodePort }}
nodePort: {{ .Values.ui.service.nodePort }}
{{- end }}
selector:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
component: {{ .Values.ui.name }}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ template "vault-operator.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
name: vault-operator
spec:
serviceAccountName: {{ template "vault-operator.sa" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.vaultOperator.image.repository }}:{{ .Values.vaultOperator.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
{{ toYaml .Values.vaultOperator.resources | indent 12 }}
{{- if .Values.vaultOperator.nodeSelector }}
nodeSelector:
{{ toYaml .Values.vaultOperator.nodeSelector | indent 8 }}
{{- end }}
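Review bot: `replicas: {{ .Values.replicaCount }}` renders empty because values.yaml defines `vaultOperator.replicaCount`, so the documented knob is a no-op and the API server silently falls back to its default of 1; change it to `.Values.vaultOperator.replicaCount`. The image is `quay.io/coreos/vault-operator:latest` pulled with `IfNotPresent`, which means each node keeps running whatever `latest` it cached first and upgrades are silent and unreviewed; for a component whose service account has `*` on Secrets, pin a release tag (the etcd-operator already pins `v0.8.3`), ideally by digest. The Deployment also lacks `spec.selector`, `resources`, and a `securityContext` (non-root user, read-only root filesystem), all of which are cheap to add here.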
apiVersion: vault.security.coreos.com/v1alpha1
kind: VaultService
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
spec:
nodes: {{ .Values.vault.node }}
version: {{ .Values.vault.version }}
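Review bot: the `VaultService` is created in the same release as its CRD, and Helm 2 resolves every manifest's kind against the API server before creating any of them, so a first install can fail with "no matches for kind VaultService" because the CRD is not registered yet; the usual pattern is to install the CRDs first (a separate chart or `kubectl apply`) and keep them out of this release. `version: {{ .Values.vault.version }}` is rendered unquoted; `0.9.1-0` happens to parse as a string, but a value like `0.9` would become a float, so use `{{ .Values.vault.version | quote }}`. Because the VaultService is a release resource, `helm delete` removes it and the operator then deletes what it created for the cluster, including the etcd cluster that holds Vault's data; NOTES.txt should say so and point at the backup procedure the README references.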
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ template "vault.ui.fullname" . }}
labels:
app: {{ template "vault-operator.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: {{ .Values.ui.name }}
spec:
replicas: {{ .Values.ui.replicaCount }}
template:
metadata:
labels:
app: {{ template "vault-operator.name" . }}
release: {{ .Release.Name }}
component: {{ .Values.ui.name }}
spec:
containers:
- name: {{ .Values.ui.name }}
image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
- name: VAULT_URL_DEFAULT
{{- if .Values.ui.vault.url }}
value: {{ .Values.ui.vault.url }}
{{ else }}
value: {{ template "vault.service.url" . }}
{{- end }}
- name: VAULT_AUTH_DEFAULT
value: {{ .Values.ui.vault.auth }}
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: '0'
ports:
- containerPort: {{ .Values.ui.service.internalPort }}
livenessProbe:
httpGet:
path: /
port: {{ .Values.ui.service.internalPort }}
readinessProbe:
httpGet:
path: /
port: {{ .Values.ui.service.internalPort }}
resources:
{{ toYaml .Values.ui.resources | indent 12 }}
{{- if .Values.ui.nodeSelector }}
nodeSelector:
{{ toYaml .Values.ui.nodeSelector | indent 8 }}
{{- end }}
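Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: '0'` turns off certificate verification for every TLS connection the UI process makes, so the Vault tokens users type into the UI are forwarded to whatever answers at `https://<release>:8200` without any check that it is the Vault service. The operator provisions default TLS assets for the cluster (the TLS setup guide the README links to covers them); mount that CA into the pod and set `NODE_EXTRA_CA_CERTS` to its path instead of disabling verification. `djenriquez/vault-ui:latest` is an unpinned third-party Docker Hub image that handles root tokens; pin a tag or digest. The `{{ else }}` in the `VAULT_URL_DEFAULT` branch lacks the `-` trim and emits a stray whitespace line. As with the other Deployments, `spec.selector`, `resources` limits and a `securityContext` are missing.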
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: vaultservices.vault.security.coreos.com
spec:
group: vault.security.coreos.com
names:
kind: VaultService
listKind: VaultServiceList
plural: vaultservices
shortNames:
- vault
singular: vaultservice
scope: Namespaced
version: v1alpha1
# Default values for vault-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
rbac:
create: true
serviceAccount:
create: true
imagePullPolicy: IfNotPresent
vaultOperator:
replicaCount: 1
image:
repository: quay.io/coreos/vault-operator
tag: latest
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
vault:
node: 2
version: "0.9.1-0"
ui:
name: "vault-ui"
replicaCount: 1
image:
repository: djenriquez/vault-ui
tag: latest
service:
name: vault-ui
type: ClusterIP
externalPort: 8000
internalPort: 8000
# nodePort: 32001
ingress:
enabled: true
# Used to create Ingress record (should used with service.type: ClusterIP).
hosts:
- xip.io
annotations:
# AWS --> redirect http to https
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/force-ssl-redirect: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
#requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
vault:
auth: TOKEN
etcd:
name: etcd
image:
repository: quay.io/coreos/etcd-operator
tag: v0.8.3
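Review bot: `ui.ingress.enabled: true` with `hosts: [xip.io]` and an empty `tls` list is the wrong default for a chart whose UI accepts Vault tokens; default it to `false` (which is what the README table claims) and leave `hosts` empty so the user must choose a name. The `kubernetes.io/ingress.class: nginx` and `force-ssl-redirect` annotations assume an nginx controller while the comment says "AWS", and the redirect achieves nothing without a `tls` entry for the host. `etcd.name` is never referenced by any template, and `etcd` has no `resources` or `nodeSelector` even though the etcd-operator Deployment tries to read them from the top level of values. `vaultOperator.image.tag` and `ui.image.tag` are `latest`; pin them the way `etcd.image.tag` is pinned. The "should used with" comment under `ingress` should read "should be used with", and `#requests:` in the `ui.resources` comment block is indented differently from the operator block above it.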